Define the path to the targets (Transition graphs)

Apply trust boundaries (security measures)

Define the weaknesses of the security measures adopted

In practice, Banking Malware families can bypass the vast majority of the world's most secure authentication schemes. How? The answer is simple: by tailoring an appropriate attack to the specific authentication scheme, with a bit of social engineering. Malware authors know that most of the time the weakest link is the user himself.

TextField Static Password

Risk Evaluation:

Vulnerable to the vast majority of all Banking Malware families in their default configuration.

Static Password

Description

A password is a secret word or string of characters used for authentication, and is the world's most used and simplest way of authenticating a user to a computer. "Static" means that the password does not change over time unless it is manually updated. The text box input field is the HTML element where the password is entered, and this element is compatible with HIDs (Human Input Devices) such as hardware keyboards and virtual keyboards.

How it gets defeated

Almost all banking malware can automatically log passwords using two components: keylogging and form grabbing. A software keylogger component can use a number of very different techniques, because operating systems offer many different ways to find out which key a user is pressing. Even if this component seems very powerful, it has the disadvantage of not logging the clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest this approach (e.g. KeePassX). For this reason Banking Malware authors prefer to log web-based credentials using form grabbing components instead of keyloggers: from Wikipedia, "this method intercepts the onsubmit API in browsers and collects web form data before it passes over the internet."
Since form grabbing is used by every major Banking Malware family (e.g. Zeus, SpyEye, IceIX etc.), the "text field" static password does not represent a secure way of authentication. In addition, malware families can automatically log any password field without any particular configuration.

Javascript Keyboard

Risk Evaluation:

Vulnerable to the vast majority of all Banking Malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in security compared to the password text box input; however, the attacker takes more time to analyze the puzzle of screenshot-captured passwords, so it is a valid approach in terms of defense in depth.

Javascript Keyboard

Description

The Javascript keyboard was introduced more than a decade ago in response to the keylogging and form grabbing techniques used by trojan stealers. It works by creating a virtual keyboard on the screen with a dynamic layout; the random disposition of the keys represents a sort of "Turing test" that can be understood by human users but not by malicious software agents.

How it gets defeated

Back in 2002, after a couple of years, Malware Authors realized that they could visually grab images of the area around the clicked key (click area grabbing) or video record the sequence of keys pressed. The "Click Grabbing" feature was born, and with a minimal configuration it was possible to defeat the Javascript password in a standard and efficient way. This kind of attack simply stores the information remotely for subsequent interpretation by a human attacker.

2011 was also the year of the ZeuS source code leak; this essentially led to a number of new ZeuS variants, the most significant being:

ICE IX

ZeuS P2P Edition

The most interesting variant is the P2P one, where ZeuS gained P2P botnet and DGA (Domain Generation Algorithm) capabilities, which make ZeuS able to interact with other victims (nodes) and get updated binaries and configurations.

Carberp

After ZeuS and SpyEye, the third advanced banking trojan is Carberp, which during its evolution reached a great level of complexity by mixing good bypassing and stealth countermeasures with the ability to steal online banking credentials via browser code injection.

Shylock

Shylock is a new financial malware, publicly reported for the first time on 7 September 2011. The main ability of this malware is to inject itself inside explorer's code. It also incorporates a watchdog that prevents its removal, and rootkit functionality to hide itself.

Features List:

Gathering system information on the compromised system and sending it to the dropzone

Oddjob

The Oddjob financial trojan was publicly reported for the first time on 22 February 2011. The peculiar characteristic of Oddjob is its ability to keep the victim's session open even after they log out; this implies that criminals are able to steal money by impersonating the victim, by tapping the session ID.

Oddjob works by injecting malicious code into the Internet Explorer and Firefox browsers; the code is contained in custom configuration files.

A quick summary of the trojan's functionalities follows:

Intercepts GET and POST requests

HTML Code Injection via MiTB Approach

Session Hijacking

Session hijacking is performed by changing the logout functionality via malicious injected HTML/JS code: the victim inadvertently keeps the session open and the fraudsters commit the money transaction.
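The defensive counterpart to the logout tampering just described is to make session lifetime a server-side decision. The following is an added example, not code from any bank nor from the malware: an in-memory session store that enforces an idle timeout and an absolute lifetime on every request, so a session whose logout request never reaches the server still ends. The timeout values, the session ids and the injectable clock are assumptions of this example.

```javascript
// Server-side session lifetime enforcement: an added example of the
// mitigation for the suppressed-logout technique described above. Not code
// from any bank or from the malware. Timeouts are illustrative assumptions;
// the clock is injectable so expiry can be exercised deterministically.

const IDLE_TIMEOUT_MS = 5 * 60 * 1000;       // assumption: 5 minutes idle
const ABSOLUTE_TIMEOUT_MS = 30 * 60 * 1000;  // assumption: 30 minutes total

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;               // injectable clock (ms since epoch)
    this.sessions = new Map();    // id -> { userId, createdAt, lastSeenAt }
  }

  // Create a session. In a real server the id comes from a CSPRNG; here
  // the caller supplies a constructed one.
  create(id, userId) {
    const t = this.now();
    this.sessions.set(id, { userId, createdAt: t, lastSeenAt: t });
  }

  // Called on every request. A session the client never logs out of still
  // dies here, so disabling the logout button in the browser buys nothing
  // beyond the idle and absolute windows.
  validate(id) {
    const s = this.sessions.get(id);
    if (!s) return { ok: false, reason: 'unknown' };
    const t = this.now();
    if (t - s.createdAt > ABSOLUTE_TIMEOUT_MS) {
      this.sessions.delete(id);
      return { ok: false, reason: 'absolute-timeout' };
    }
    if (t - s.lastSeenAt > IDLE_TIMEOUT_MS) {
      this.sessions.delete(id);
      return { ok: false, reason: 'idle-timeout' };
    }
    s.lastSeenAt = t;             // activity extends the idle window only
    return { ok: true, userId: s.userId };
  }

  // Explicit logout invalidates server-side state; the client-side redirect
  // that injected code can suppress is never what ends the session.
  logout(id) {
    return this.sessions.delete(id);
  }
}

// Constructed scenario: the browser never issues the logout request, but
// "the user" keeps clicking once a minute. The idle window is always
// refreshed, yet the absolute lifetime terminates the session at minute 31.
function simulateSuppressedLogout() {
  let t = 0;
  const store = new SessionStore(() => t);
  store.create('sid-constructed', 'user1');
  const results = [];
  for (let minute = 1; minute <= 31; minute++) {
    t = minute * 60 * 1000;
    results.push(store.validate('sid-constructed'));
  }
  return results;
}
```

In a real deployment the same check sits in front of every money-movement endpoint, and high-value operations are normally gated by a fresh authentication step as well; the point of the example is only that the end of a session must never depend on client-side code the attacker can rewrite.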